> If the superuser on the
> remote host cannot be trusted, or the root account has been
> compromised, this can result in a wide range of compromises
> on the client host.

Anytime you login or open any sort of connection to a remote machine,
that machine has to be able to receive and understand all the commands
you send to it, and by definition so does that machine's super-user.

Therefore the vulnerabilities you mention are intrinsic to logging in to
any untrusted machine.

Fixes:

Don't use untrusted machines as springboards to login to other machines.

All credentials, personal information, and passwords given to
  that machine should be unique to that machine.

When allowing that machine to connect to your X server, ensure
  that it is in untrusted mode, to keep malicious clients from
  getting access to any but their own data. (This is not foolproof;
  in fact, X servers need TONS of work on their security aspects.
  For now, portability & functionality trump security in a major way.
  Until such a time as this has changed, restrict your use of remote
  X connects to trusted, secured remote machines.)

~~~
I imagine that properly done, there would be at least three levels of
access to an Xserver: Full, Restricted and Sandboxed.
Any Xclient connecting with a sandbox credential could not access anything
outside of a certain conspicuous root window, which could not be masked,
and it would allow the DM to drop the credential by closing it.

XDMCP should be tossed, and a secure remote-DM protocol introduced.

The X protocol could use SSL, with host & server keys for the benefit of the
clients. Cookies should be associated with a given level of access.
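The "untrusted mode" advice above maps, for X11 forwarded over OpenSSH, onto the client option ForwardX11Trusted (ssh -X is untrusted, ssh -Y is trusted). The script below is an added example, not part of the original post or of OpenSSH: it reads an ssh_config-style file and reports whether the first ForwardX11Trusted directive turns trusted forwarding on, and it writes two constructed sample configs (the weak setting and the corrected one) so it can be run offline. It opens no connections; the file paths and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSH client config
# for trusted X11 forwarding. Only the file is read; nothing is connected to.

# x11_trust_mode FILE
#   Prints "trusted" if the first ForwardX11Trusted directive in FILE is "yes",
#   otherwise "untrusted". OpenSSH itself uses the first value it obtains for
#   a keyword, so the first match is the one that counts. Comment lines and
#   the Keyword=value spelling are handled; the upstream default is "no",
#   but some distributions ship "yes" in the system-wide ssh_config, so
#   "untrusted" here only means this file does not enable it.
x11_trust_mode() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        {
            gsub(/=/, " ")                        # Keyword=value -> Keyword value
            if (tolower($1) == "forwardx11trusted") {
                print (tolower($2) == "yes") ? "trusted" : "untrusted"
                found = 1
                exit                              # first occurrence wins
            }
        }
        END { if (!found) print "untrusted" }
    ' "$1"
}

# write_sample_config PATH MODE
#   Writes a constructed sample config to PATH. MODE "weak" enables trusted
#   forwarding (remote clients get full access to the local X server);
#   MODE "fixed" keeps forwarding but in untrusted mode.
write_sample_config() {
    case "$2" in
        weak)
            cat > "$1" <<'EOF'
# constructed sample: the weak setting
Host *
    ForwardX11 yes
    ForwardX11Trusted yes
EOF
            ;;
        fixed)
            cat > "$1" <<'EOF'
# constructed sample: forwarding kept, but remote clients get a restricted cookie
Host *
    ForwardX11 yes
    ForwardX11Trusted no
EOF
            ;;
        *)  echo "unknown mode: $2" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration over the two constructed samples.
demo() {
    tmp=$(mktemp -d)
    write_sample_config "$tmp/weak" weak
    write_sample_config "$tmp/fixed" fixed
    echo "weak config:  $(x11_trust_mode "$tmp/weak")"     # trusted
    echo "fixed config: $(x11_trust_mode "$tmp/fixed")"    # untrusted
    rm -rf "$tmp"
}

demo
```

Note that ssh -Y forces trusted mode on the command line regardless of the file, so the check only tells you what the config does, not what a user typed. Outside of SSH, the same idea is an untrusted cookie generated on the X side, for example xauth generate :0 . untrusted timeout 600, which is what a restricted remote client should be handed.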
